serbuvlad 8 days ago

I don't get the hate on

"curl ... | sudo bash"

Running "sudo dpkg -i somepackage.deb" is literally just as dangerous.

You *will* want to run code written by others as root on your system at least once in your life. And you *will not* have the resources to audit it personally. You do it every day.

What matters is trusting the source of that code, not the method of distribution. "curl ... | sudo bash" is as safe as anything else can be if the curl URL is TLS-protected.

yusina 7 days ago

> Running "sudo dpkg -i somepackage.deb" is literally just as dangerous.

And it's just as bad an idea if it comes from some random untrusted place on the internet.

As you say, it's about trust and risk management. A distro repo is less likely to be compromised. It's not impossible, but more work is required to get me to run your malicious code via that attack vector.

serbuvlad 7 days ago

Sure.

But

    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
is less likely to get hijacked and scp all my files to $REMOTE_SERVER than a Deb file from the releases page of a random 10-star github repository. Or even from a random low-use PPA.

But I've just never heard anyone complain about "noobs" installing deb packages. Ever.

Maybe I just missed it.

blibble 7 days ago

> But I've just never heard anyway complain about "noobs" installing deb packages. Ever.

it is literally in the debian documentation: https://wiki.debian.org/DontBreakDebian

> One of the primary advantages of Debian is its central repository with many thousands of software packages. If you're coming to Debian from another operating system, you might be used to installing software that you find on random websites. On Debian installing software from random websites is a bad habit. It's always better to use software from the official Debian repositories if at all possible. The packages in the Debian repositories are known to work well and install properly. Only using software from the Debian repositories is also much safer than installing from random websites which could bundle malware and other security risks.

menzoic 8 days ago

At least the package is signed. Curl can run against a URL that got hijacked.

serbuvlad 7 days ago

It's signed by a key that's obtained from a URL owned by the same person. Sure, you can't attack devices already using the repo, but new installs are fair game.

And are URLs (w/ DNSSEC and TLS) really that easy to hijack?
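The thread keeps coming back to the same two points: TLS only tells you which server you reached, and a signing key fetched from that same server proves nothing more on a first install. The check a practitioner adds on top of either is to pin a digest obtained from a second channel (the project's docs, a signed release note, a previous install) and refuse to execute anything that does not match. The script below is an added example, not code from any poster in the thread; the "installer" it verifies and the pinned digest are constructed inline so it runs offline, and `sha256_of` and `verify_then_run` are names chosen here, not tooling from any project.

```shell
#!/bin/sh
# Added example: fetch-to-file, verify against a pinned digest, then run,
# instead of piping a download straight into a shell. The installer and
# its pinned hash are constructed locally so this runs offline.
set -eu

# Print the hex SHA-256 of a file; works with coreutils or BSD tooling.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_then_run FILE EXPECTED_SHA256 [INTERPRETER]
# Executes FILE with INTERPRETER (default: sh) only if its digest equals
# EXPECTED_SHA256. Returns 1 and runs nothing on mismatch. EXPECTED_SHA256
# must come from somewhere other than the download itself, or this is
# merely trust-on-first-use.
verify_then_run() {
    file=$1
    expected=$2
    interp=${3:-sh}
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: digest mismatch\n  expected %s\n  got      %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    "$interp" "$file"
}

# Demo with a constructed installer (stands in for the curl download).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
printf 'echo "installing example tool"\n' > "$workdir/install.sh"

# In real use this value is copied from the vendor's docs or a signed
# release note; here it is computed once to simulate that pin.
pinned=$(sha256_of "$workdir/install.sh")

echo "-- unmodified download:"
verify_then_run "$workdir/install.sh" "$pinned"

# Simulate a hijacked URL serving a modified script with the same name.
printf 'echo "installing example tool"\necho "and something extra"\n' \
    > "$workdir/install.sh"

echo "-- modified download:"
if ! verify_then_run "$workdir/install.sh" "$pinned"; then
    echo "tampered copy was rejected before execution"
fi
```

The function deliberately separates fetch from execute: the file is fully on disk before any byte of it is interpreted, so a server cannot feed a different stream to a pipe than it would to a download, and the operator gets a chance to `less` the file. Replace the digest comparison with a detached-signature check (`gpg --verify`, `minisign -V`, `cosign verify-blob`) when the project publishes one; the shape of the check is the same.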

tart-lemonade 7 days ago

> And are URLs (w/ DNSSEC and TLS) really that easy to hijack?

During the Google Domains-Squarespace transition, there was a vulnerability that enabled relatively simple domain takeovers. And once you control the DNS records, it's trivial to get Let's Encrypt to issue you a cert and adjust the DNSSEC records to match.

https://securityalliance.notion.site/A-Squarespace-Retrospec...

SparkyMcUnicorn 8 days ago

Packages can get hijacked too.

lionkor 8 days ago

What is the difference between a random website or domain, and the package manager of a major distribution, in terms of security? Is it equally likely they get hijacked?

lucianbr 7 days ago

The issue is not the package manager being hijacked but the package. And the package is often outside the "major distribution" repository. That's why you use curl | bash in the first place.

Your question does not apply to the case discussed at all, and if we modify it to apply, the answer does not argue your point at all.